Posted by Stefan Eberhardt | November 29, 2018
So back at S&T/Kontron, we decided to revive the security topic on our blog. It is quite broad, so let's slice and dice it down to smaller parts. Let's start with the obvious: everybody needs security and wants security, but the question of how much, where and which type of security is a trickier one, because it determines how much security will cost at the end of the day. So yes - the sad news is: security costs money, but - and that’s the good news - usually it is affordable.
My tip: Try to prevent panic and higher costs!
Before we go into details, here are a few words about motivation. My experience is that when something happens (which of course nobody should talk about) - like production standing still, let's say maybe for a week - people are in panic mode and very quickly buy stuff that retrofits security into their systems. That’s good for me because there are no negotiations about the price. The only problem: planning is hard and causes overtime and stress for everybody. So what I want to say is that realizing a security solution on a more planned basis makes sense for every party involved, because it's cheaper and yes: we can have a discussion about the list pricing.
Always remember the ‘top=>bottom-principle’
So when we talk about how much security you need, it’s important to understand that we always have to look at the on-site setup and environment of our end product and then break this down. So it's a top=>bottom process! I regularly see some companies working it the other way around with the argument: “you provide a small piece of my solution, make it secure please, so my overall system is secure too“. The problem: the same component is needed by a different customer in a different setup. So always remember the ‘top=>bottom-principle’.
Don't get me wrong, we like to provide secure products, but we need to know the specific requirements. This starts with trivial stuff, like where you want to sell the product (export regulations), whether the product is connected, who will access the product and in which way, which software components are running on the system, and of course the simple question: what am I securing at the end of the day?
The last one is very important - after answering it, security gets affordable!
Determine the border conditions and keep calm
So before we step into more technical stuff in the next articles, there are two additional things to be considered: Although there are a lot of technical solutions for specific aspects of security out on the market, don't let yourself get caught by one. Determine the technical solution after you've determined the border conditions!
And the other thing: everything can be broken, it's only a question of resources. So when you see a security expert constructing something by combining five potential security breaches - don't worry, keep calm and continue reading the next article, which has an IoT focus.